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DETAILED ACTION 
Continued Examination Under 37 CFR 1.114 

1 . A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 9 May 
2006 has been entered. 

2. In response to the previous office action, Applicant has amended claims 24, 29, 
30, and 43. Claims 24, 26-31 , 33-44, and 46-54 have been examined. 

Claim Objections 

3. Claim 30 is objected to because of the following informalities: Thei second 
limitation recites "generating a hash from a one random salt value and input data...". It 
is being presumed that "a one" should read as "one." Appropriate correction is required. 



Claim Rejections - 35 USC §112 
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The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

4. Claims 29 and 43-54 are rejected under 35 U.S.C. 112, first paragraph, as failing 
to comply with the written description requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to reasonably convey to 
one skilled in the relevant art that the inventor(s), at the time the application was filed, 
had possession of the claimed invention. 

Claim 29 recites that a salt value is user-specific; in the original disclosure, the 
salt is application-specific, with its creation being triggered by a user (see Specification, 
p. 5, lines 24-25). 

Claim 43 recites the step "generate a hash from the plurality of random salt 
values and input data, each salt value only associated with one specific software 
application, the input data including a user identification and a strong password." No 
support can be found in the original disclosure for the generation of a hash that is 
derived from more than one of the salt values. In view of Applicant's specification, it is 
being presumed that the hash is derived from one of the salt values in addition to the 
input data. 

Claims 44-54 depend from rejected claim 43, and include all the limitations of 
that claim, thereby rendering those dependent claims as failing to comply with the 
written description requirement. 
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Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 30, 33-38, 40, 43, 46-50, and 52 are rejected under 35 U.S.C. 103(a) as 
obvious over U.S. Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 
6,826,686 to Peyravian et al. further in view of Schneier, "Applied Cryptography," 1996, 
pp. 165-166 and 429-431. 

Regarding claims 30, 33, 34, 36, 37, 40, 43, 46-49, 50, and 52, Abadi discloses a 
method for constructing a password specific to a service (an application) by hashing the 
name of the service (input data) from the user (see column 3, lines 4-5), a master 
password (the strong password) and the user name (see abstract). The password is 
then submitted to the application (see column 3, lines 60-62). The system is designed to 
construct passwords for all services which a user uses, including client software 
applications (see column 2, lines 41-56). 

Abadi does not explicitly describe the use of a random salt in password creation. 

Peyravian discloses the integration of a client-specific and a server-specific 
random number hashed with a userjd and master user password (see column 4, lines 
32-57), and suggests that this allows for password agreement without the need for a 
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key pair or agreed-upon key while preventing replay attacks (see column 2, line 66 to 
column 3, line 10). 

Therefore it would be obvious to one of ordinary skill in the art at the time the 
invention was made to modify the invention of Abadi by integrating a client-specific and 
a server-specific random number hashed with a userjd and master user password, as 
disclosed by Peyravian, as this allows for password agreement without the need for a 
key pair or agreed-upon key while preventing replay attacks. 

Given that Abadi maintains separate entries for the parts of the password for 
each application, save for the global master password (see Abadi, figure 2) and that 
Peyravian discloses a random number to be hashed that is client/server specific, it is 
reasonable that one skilled in the art, when incorporating Peyravian into Abadi, would 
maintain a list of application-specific salts that would be populated by a plurality of 
application-specific salts after a plurality of applications have been invoked (as is done 
in Applicant's specification). 

Abadi also does not disclose passwords that are only valid for a specified time 

period. 

Peyravian further discloses the use of time-out mechanisms to maintain the 
secrecy of passwords (see column 4, lines 21-24). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to further modify the invention of Abadi by incorporating a time- 
out mechanism, as disclosed by Peyravian, to maintain the secrecy of passwords. 



Application/Control Number: 09/753,257 Page 6 

Art Unit: 2134 

Using Abadi in view of Peyravian, a user would only need to remember the 
master password. 

Abadi and Peyravian only disclose the computing of the hash a single time. 

Schneier discloses an algorithm for iteratively hashing a value any number of 
times (see "Length of One-Way Hash Functions," pp.430-431), and notes that additional 
hashing increases resistance to birthday attacks (see pp. 429-430; a description of 
birthday attacks in found on pp. 165-166). 

Therefore it would been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the invention of Abadi and Peyravian by hashing a value 
multiple times, as disclosed by Schneier, to increase resistance to birthday attacks. 

As per claim 35, a single master password is used to create multiple application 
passwords. 

Regarding claims 34, 47, and 48, Abadi does not disclose a mechanism for 
changing passwords if it is determined that a change is necessary. 

Peyravian discloses a mechanism for changing passwords if the master 
password is changed (due to a time-out, for example), because the password may have 
been discovered by someone else (see whole document, especially column 4, lines 21- 
31). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to modify the invention of Abadi by supplying a mechanism to 
change passwords is the master password needs changing, as disclosed by Peyvarian, 
because the password may have been discovered by someone else. 
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As per claim 38, a networked system is used (see Abadi, column 2, lines 21-23). 

6. Claims 31 and 44 are rejected under 35 U.S.C. 103(a) as obvious over U.S. 
Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 6,826,686 to Peyravian 
et al. in view of Schneier, "Applied Cryptography," 1996, pp. 165-166 and 429-431 as 
applied to claims 30 and 43 above and further in view of U.S. Patent No. 6,006,333 to 
Nielsen. 

Over and above what is described and Abadi, Peyravian, and Schneier above, 
Abadi discloses the generation of user names for storage in a set of user names (203), 
which is then retrieved to generate the password (see column 3, lines 22-45). 

Abadi, Peyravian, and Schneier do not specifically disclose a test to see if the 
user name already exists. 

Nielsen discloses a system for maintain passwords for different applications 
wherein there is a check to see if a password exists, and an entry may be created if 
none exists. This is done to allow the user to register at the new site (see column 5, 
lines 40-61). 

Therefore it would be obvious to one of ordinary skill in the art to modify the 
invention of Abadi, Peyravian, and Schneier by checking to see if a password exists, 
and an create an entry if none exists, as disclosed by Nielsen, in order to allow the user 
to register at the new site. 
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7. Claims 39 and 51 are rejected under 35 U.S.C. 103(a) as obvious over U.S. 
Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 6,826,686 to Peyravian 
et al. in view of Schneier, "Applied Cryptography," 1996, pp. 165-166 and 429-431 as 
applied to claims 30 and 43 above and further in view of U.S. Patent No. 6,064,736 to 
Davis et al. 

Abadi, Peyravian, and Schneier do not disclose the algorithm to be used in the 
construction of the hash. 

Davis discloses the use of the MD5 algorithm for constructing a password hash, 
and suggests that this allows a server to transport information safely to a client (see 
column 3, lines 56-65). 

Therefore it would be obvious to one of ordinary skill in the art to modify the 
invention of Abadi, Peyravian, and Schneier by using the MD5 algorithm for constructing 
the password hash, as disclosed by Davis, as this allows a server to transport 
information safely to a client. 

8. Claims 41, 42, 53, and 54 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent No. 6,141,760 to Abadi et al. in view of U.S. Patent No. 
6,826,686 to Peyravian et al. in view of Schneier, "Applied Cryptography," 1996, pp. 
165-166 and 429-431 as applied to claims 30 and 43 above, and further in view of U.S. 
Patent No. 6,601,175 to Arnold et al. 

Abadi in view of Peyravian does not provide for a password that is only valid for a 
limited time period based on platform activity. 
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Arnold discloses the derivation of limited-time passwords for local computer use 
or remote administration, which can be created on an as-needed basis (based on 
platform activity), and further suggests that this is done to prevent a user from re- 
configuring a computer after learning the administrative password (see column 5, lines 
10-44). 

Therefore it would be obvious to one of ordinary skill in the art at the time the 
invention was made to modify the invention disclosed by Abadi, Peyravian, and 
Schneier by supporting limited-time passwords, as disclosed by Arnold, to prevent a 
user from re-configuring a computer after learning the administrative password. 

Allowable Subject Matter 

9. Claims 24 and 26-28 are allowed. 

10. The following is a statement of reasons for the indication of allowable subject 
matter: 

Claim 24 as amended recites that salt values are to be generated for each of the 
applications in a list having a plurality of names of applications. The previously cited art 
maintains lists of applications (also see U.S. Patent No. 6,006,333 to Nielsen) and 
relevant password data, but all of the password information is created on an ad hoc 
basis as the applications are accessed, rather than together in a single step. 

Claims 26-28 are allowable based upon their dependence upon claim 24. 
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Response to Arguments 

1 1 . Applicant's arguments, see Remarks, filed 19 December 2005, with respect to 
the rejections of the claims under 35 U.S.C. 103 have been fully considered and are 
persuasive in view of Applicant's amendments. Therefore, the rejection has been 
withdrawn. However, upon further consideration, new grounds of rejection are made in 
view of the previously cited art in view of Schneier. 

Conclusion 

12. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Matthew E. Heneghan, whose telephone number is 
(571) 272-3834. The examiner can normally be reached on Monday-Friday from 8:30 
AM - 4:30 PM Eastern Time. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Jacques Louis-Jacques, can be reached at (571) 272-6962. 

Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
P.O. Box 1450 
Alexandria, VA 2231 3-1 450 
Or faxed to: 

(571)273-3800 
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Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (571) 272- 
2100. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



MEH 




August 8, 2006 



Matthew Heneghan, USPTO Art Unit 2134 



